Certify A Primary Key

When you have imported a key (whether a primary secret key or a primary public key), or you have been handed a primary public key to certify, you need to go through what is called the "certify" process. This guide shows you how to certify a given primary secret key or primary public key.

Verify Your Primary "Certify" Key Is Available

If you are an advanced user who removed the secret key carrying the "certify" capability from your keyring, you need to restore it before you can certify anything. Check whether it is available with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

You want to see the key with the [C] capability listed under a plain "sec" label rather than "sec#" (the hash means only a stub is present and the secret key material is not available). If it shows "sec#", restore the key by importing your backup copy with the following command:

$ gpg --import /path/to/your/key.asc
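
The check described above can be scripted. The following shell functions are an added example, not part of the original guide: they read the human-readable output of "gpg --list-secret-keys" and report whether a certify-capable primary secret key is actually usable, distinguishing a plain "sec" entry from a "sec#" stub (secret material absent) and a "sec>" entry (key stored on a smartcard). The two sample listings are constructed to mirror the example output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: decide from the output of
# "gpg --list-secret-keys" whether a certify-capable ([C]) primary secret key
# is actually usable. GnuPG marks a primary whose secret material is not in
# the keyring as "sec#" (stub) and one that lives on a smartcard as "sec>".
# The sample listings below are constructed to mirror the guide's example.

SAMPLE_AVAILABLE='sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]'

SAMPLE_STUB='sec#  rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]'

# certify_key_state LISTING
# Prints "available", "on-card", "stub" or "missing". If several
# certify-capable primaries are listed, the most usable state wins.
certify_key_state() {
    printf '%s\n' "$1" | awk '
        # Primary records start with sec, sec# or sec>; the capability flags
        # ("[C]", "[SC]", ...) are the 4th whitespace-separated field.
        $1 == "sec"  && $4 ~ /C/ { rank = 3 }
        $1 == "sec>" && $4 ~ /C/ && rank < 2 { rank = 2 }
        $1 == "sec#" && $4 ~ /C/ && rank < 1 { rank = 1 }
        END {
            if (rank == 3) print "available"
            else if (rank == 2) print "on-card"
            else if (rank == 1) print "stub"
            else print "missing"
        }'
}

# certify_key_fpr LISTING
# Prints the 40-hex-digit fingerprint shown on the line after the first
# certify-capable primary record.
certify_key_fpr() {
    printf '%s\n' "$1" | awk '
        want && NF == 1 && length($1) == 40 { print $1; exit }
        { want = ($1 == "sec" || $1 == "sec#" || $1 == "sec>") && $4 ~ /C/ }'
}

# Typical use against the real keyring (requires gpg, so not run here):
#   certify_key_state "$(gpg --list-secret-keys)"
echo "sample 1: $(certify_key_state "$SAMPLE_AVAILABLE")"   # available
echo "sample 2: $(certify_key_state "$SAMPLE_STUB")"        # stub
echo "fingerprint: $(certify_key_fpr "$SAMPLE_STUB")"
```

Run it against the real keyring by passing the output of "gpg --list-secret-keys" as the argument; anything other than "available" (or "on-card", if you keep the certify key on a token) means the restore step above is needed before continuing.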

Import The Target Primary Key

The next thing is to ensure the target primary public key is present in your local GnuPG keyring. If it is not, import the key file you were given with the same import command shown above, pointing it at that file.

Apply Certification

Now apply the certification.

Identify Your Primary Key ID

We start by obtaining the ID of your own primary key, the one that will issue the certification. List your secret keys with the following command and find your key:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys 
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519 2020-01-10 [E] [expires: 2022-01-09]

In the example above,

  1. The primary key ID is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you want to certify with.


Identify Target Primary Key ID

The next step is to identify the target primary key ID. List the public keys in your keyring with the following command:

$ gpg --list-keys

Example:

$ gpg --list-keys
...
---------------------------
...

pub   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ unknown] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [S]

In the example above,

  1. The primary key ID is: 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9. Make sure this is the target key with unknown trust level.


Certify Key

To certify the key, run the following command:

$ gpg -u <secret key ID> --sign-key <target public key ID>

Based on the example above:

$ gpg -u AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF --sign-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9


Verify Certification

The next step is to verify your certification by running the same listing command again:

$ gpg --list-keys

Example:

$ gpg --list-keys
...
---------------------------
...

pub   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [  full  ] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [S]

In the example above,

  1. Notice that the trust level shown for the public key's user ID has changed from unknown to FULL.
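
Two of the steps above can be checked mechanically from the same "gpg --list-keys" output: before running --sign-key, the fingerprint of the key about to be certified should equal the one the owner confirmed with you through another channel, and after signing the validity shown for the user ID should have moved from unknown to full. The following shell functions are an added example, not part of the original guide; they parse the human-readable listing format shown above. The two sample listings are constructed from the example output, and the function names and the use of an e-mail address as the lookup key are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original guide: read "gpg --list-keys"
# output to extract (1) the fingerprint of the key carrying a given user ID,
# to compare with the fingerprint the owner confirmed out of band before
# --sign-key is run, and (2) the validity GnuPG shows for that user ID, to
# confirm the certification took effect afterwards. Samples are constructed.

BEFORE='pub   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ unknown] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [S]'

AFTER='pub   rsa4096 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [  full  ] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
sub   rsa4096 2018-09-23 [E]
sub   rsa4096 2018-09-23 [S]'

# key_fpr LISTING EMAIL
# Prints the fingerprint of the primary key whose uid contains <EMAIL>.
key_fpr() {
    printf '%s\n' "$1" | awk -v email="<$2>" '
        $1 == "pub" { fpr = ""; want = 1; next }
        want && NF == 1 && length($1) == 40 { fpr = $1; want = 0; next }
        $1 == "uid" && fpr != "" && index($0, email) { print fpr; exit }'
}

# uid_validity LISTING EMAIL
# Prints the validity word GnuPG shows in brackets for that uid
# ("unknown", "full", "ultimate", ...), with the padding removed.
uid_validity() {
    printf '%s\n' "$1" | awk -v email="<$2>" '
        $1 == "uid" && index($0, email) {
            if (match($0, /\[[^]]*\]/)) {
                v = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/ /, "", v)
                print v
            }
            exit
        }'
}

# fingerprint_matches LISTING EMAIL EXPECTED_FPR
# Succeeds only if the listed fingerprint equals the one confirmed out of band.
fingerprint_matches() {
    [ -n "$3" ] && [ "$(key_fpr "$1" "$2")" = "$3" ]
}

# Typical use against the real keyring (requires gpg, so not run here):
#   LISTING=$(gpg --list-keys jane.smith@example.com)
#   fingerprint_matches "$LISTING" jane.smith@example.com "$CONFIRMED_FPR" \
#       || { echo "fingerprint mismatch, not signing" >&2; exit 1; }
echo "before: $(uid_validity "$BEFORE" jane.smith@example.com)"   # unknown
echo "after:  $(uid_validity "$AFTER" jane.smith@example.com)"    # full
```

The human-readable listing is convenient for a quick check but GnuPG does not promise its layout is stable; for anything that has to keep working across versions, feed the script the "--with-colons" output instead, which GnuPG documents as the machine-readable format.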


Export Back to Owner

Once you have verified the certification, it is good practice to export the certified public key and send it back to the owner rather than uploading it to a keyserver yourself. This lets the key owner merge the new certification into their own copy of the key and decide for themselves whether and when to push it to a keyserver.


That's all about certifying a key.